From 3432c9fbe9674c2b88146f7eff5f3d21d4b1ce46 Mon Sep 17 00:00:00 2001 From: Simon Dodsley Date: Wed, 28 May 2025 16:25:18 -0400 Subject: [PATCH] [Pure Storage] Disable management of secure tenant volumes and snaps FlashArray has enabled secure multi-tenancy, but these volumes and associated snapshots, although visible to the driver, are not eligible for management. This patch ensures that these volumes and snapshots are not listed in the manageable volumes or snapshots list and reports an error if one is still selected to be managed. Change-Id: I85e65ebffecf029c9e29e6ba1d01dfacd28efff7 --- cinder/volume/drivers/pure.py | 29 +++++++++++++++++++ ...ure_realm_manage_fix-eb5fe76e7c55297d.yaml | 5 ++++ 2 files changed, 34 insertions(+) create mode 100644 releasenotes/notes/pure_realm_manage_fix-eb5fe76e7c55297d.yaml diff --git a/cinder/volume/drivers/pure.py b/cinder/volume/drivers/pure.py index 14079f439cb..be04da19453 100644 --- a/cinder/volume/drivers/pure.py +++ b/cinder/volume/drivers/pure.py @@ -1664,6 +1664,10 @@ class PureBaseVolumeDriver(san.SanDriver): " key to identify an existing volume.")) if is_snap: + if existing_ref['source-name'].count("::") > 1: + # Don't allow for managing snaphot in a realm + raise exception.ManageExistingInvalidReference( + _("Unable to manage snapshot in a Realm")) # Purity snapshot names are prefixed with the source volume name. ref_vol_name, ref_snap_suffix = existing_ref['source-name'].split( '.') @@ -1671,6 +1675,10 @@ class PureBaseVolumeDriver(san.SanDriver): ref_vol_name = existing_ref['source-name'] current_array = self._get_current_array() + if not is_snap and self._realm_check(current_array, ref_vol_name): + # Don't allow for managing volumes in a realm + raise exception.ManageExistingInvalidReference( + _("Unable to manage volume in a Realm")) if not is_snap and self._pod_check(current_array, ref_vol_name): # Don't allow for managing volumes in a replicated pod raise exception.ManageExistingInvalidReference( @@ -1977,6 +1985,9 @@ class PureBaseVolumeDriver(san.SanDriver): def _pod_check(self, array, volume): """Check if volume is in a replicated pod.""" if "::" in volume: + if volume.count("::") != 1: + # This is a special for a volume in a realm pod + return False pod = volume.split("::")[0] pod_info = list(array.get_pods(names=[pod]).items)[0] if (pod_info.link_source_count == 0 @@ -1988,6 +1999,16 @@ class PureBaseVolumeDriver(san.SanDriver): else: return False + def _realm_check(self, array, volume): + """Check if volume is in a realm.""" + if "::" in volume: + if volume.count("::") > 1: + return True + else: + return False + else: + return False + def _rename_volume_object(self, old_name, new_name, @@ -2167,6 +2188,7 @@ class PureBaseVolumeDriver(san.SanDriver): cinder_id = existing_vols.get(vol_name) not_safe_msgs = [] host = connected_vols.get(vol_name) + in_realm = self._realm_check(array, vol_name) in_pod = self._pod_check(array, vol_name) is_deleted = pure_vols[pure_vol].destroyed @@ -2176,6 +2198,9 @@ class PureBaseVolumeDriver(san.SanDriver): if cinder_id: not_safe_msgs.append(_('Volume already managed')) + if in_realm: + not_safe_msgs.append(_('Volume is in a Realm')) + if in_pod: not_safe_msgs.append(_('Volume is in a Replicated Pod')) @@ -2231,6 +2256,10 @@ class PureBaseVolumeDriver(san.SanDriver): is_safe = False reason_not_safe = _("Snapshot is deleted.") + if snap_name.count("::") > 1: + is_safe = False + reason_not_safe = _("Snapshot is in a realm.") + manageable_snaps.append({ 'reference': {'name': snap_name}, 'size': self._round_bytes_to_gib( diff --git a/releasenotes/notes/pure_realm_manage_fix-eb5fe76e7c55297d.yaml b/releasenotes/notes/pure_realm_manage_fix-eb5fe76e7c55297d.yaml new file mode 100644 index 00000000000..8ac836e98dd --- /dev/null +++ b/releasenotes/notes/pure_realm_manage_fix-eb5fe76e7c55297d.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Pure Storage driver: Fixed issue with FlashArray secure tenant volumes and + snapshots as theese are not eligible to be managed.